Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-21 Thread Marek Marczykowski-Górecki
On Sun, Nov 05, 2023 at 12:04:09PM +, Zbigniew Jędrzejewski-Szmek wrote: > On Thu, Nov 02, 2023 at 09:58:10AM -0400, Christopher wrote: > > On Wed, Nov 1, 2023 at 5:39 PM Zbigniew Jędrzejewski-Szmek > > wrote: > > > > > > On Wed, Nov 01, 2023 at 10:49:36AM -0700, Kevin Fenzi wrote: > > > > On

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-21 Thread Vít Ondruch
On 20. 11. 23 at 16:40, Neal Gompa wrote: On Tue, Nov 14, 2023 at 5:02 PM Leon Fauster via devel wrote: On 14.11.23 at 22:04, Christopher wrote: On Tue, Nov 14, 2023 at 9:30 AM Michael Catanzaro wrote: On Tue, Nov 14 2023 at 08:16:39 AM -0500, Christopher wrote: I think for the sake

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-20 Thread Neal Gompa
On Tue, Nov 14, 2023 at 5:02 PM Leon Fauster via devel wrote: > > On 14.11.23 at 22:04, Christopher wrote: > > On Tue, Nov 14, 2023 at 9:30 AM Michael Catanzaro > > wrote: > >> > >> On Tue, Nov 14 2023 at 08:16:39 AM -0500, Christopher > >> wrote: > >>> I think for the sake of security, it'd

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-20 Thread Vít Ondruch
Not saying I am going to request Fedora to benefit from this, but since you have mentioned such a feature, it would be super useful if you also linked to appropriate documentation. Vít On 14. 11. 23 at 14:12, Jaroslav Mracek wrote: I would like to highlight a cool feature of DNF5 -

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-15 Thread Petr Pisar
On Tue, Nov 14, 2023 at 01:25:08PM -0500, Christopher wrote: > On Tue, Nov 14, 2023 at 9:24 AM Petr Pisar wrote: > > > > On Tue, Nov 14, 2023 at 08:16:39AM -0500, Christopher wrote: > > > On Tue, Nov 14, 2023 at 8:03 AM Jaroslav Mracek > > > wrote: > > > > > > > > I believe that one of

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Florian Weimer
* Michael Catanzaro: > On Tue, Nov 14 2023 at 08:16:39 AM -0500, Christopher > wrote: >> I think for the sake of security, it'd be better if this were on by >> default, and you just had to specify the --nogpgcheck >> For convenience, the error message should probably say "Error: GPG >> check

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Leon Fauster via devel
On 14.11.23 at 22:04, Christopher wrote: On Tue, Nov 14, 2023 at 9:30 AM Michael Catanzaro wrote: On Tue, Nov 14 2023 at 08:16:39 AM -0500, Christopher wrote: I think for the sake of security, it'd be better if this were on by default, and you just had to specify the --nogpgcheck For

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Christopher
On Tue, Nov 14, 2023 at 9:30 AM Michael Catanzaro wrote: > > On Tue, Nov 14 2023 at 08:16:39 AM -0500, Christopher > wrote: > > I think for the sake of security, it'd be better if this were on by > > default, and you just had to specify the --nogpgcheck > > For convenience, the error message

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Christopher
On Tue, Nov 14, 2023 at 9:24 AM Petr Pisar wrote: > > On Tue, Nov 14, 2023 at 08:16:39AM -0500, Christopher wrote: > > On Tue, Nov 14, 2023 at 8:03 AM Jaroslav Mracek wrote: > > > > > > I believe that one of the strong complaints was related to not signed > > > packages. The use case is that

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Steve Grubb
Hello all, On Tuesday, November 14, 2023 8:16:39 AM EST Christopher wrote: > On Tue, Nov 14, 2023 at 8:03 AM Jaroslav Mracek > wrote: > > > > I believe that one of the strong complaints was related to not signed > > packages. The use case is that when I build RPMs locally and then I > > install

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Michael Catanzaro
On Tue, Nov 14 2023 at 08:16:39 AM -0500, Christopher wrote: I think for the sake of security, it'd be better if this were on by default, and you just had to specify the --nogpgcheck For convenience, the error message should probably say "Error: GPG check FAILED (try again with '--nogpgcheck'

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Petr Pisar
On Tue, Nov 14, 2023 at 08:16:39AM -0500, Christopher wrote: > On Tue, Nov 14, 2023 at 8:03 AM Jaroslav Mracek wrote: > > > > I believe that one of the strong complaints was related to not signed > > packages. The use case is that when I build RPMs locally and then I install > > them (see

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Christopher
On Tue, Nov 14, 2023 at 8:03 AM Jaroslav Mracek wrote: > > I believe that one of the strong complaints was related to not signed > packages. The use case is that when I build RPMs locally and then I install > them (see below). > > dnf install *.rpm --setopt=localpkg_gpgcheck=true > ... >

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Jaroslav Mracek
I would like to highlight a cool feature of DNF5 - a drop-in directory for configuration overrides, where a distribution may modify the configuration of DNF5. I am mentioning it because it allows the decision to be made by the distribution, and the behavior might be modified outside of the DNF5 package. Therefore

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-14 Thread Jaroslav Mracek
I believe that one of the strong complaints was related to not signed packages. The use case is that when I build RPMs locally and then I install them (see below). dnf install *.rpm --setopt=localpkg_gpgcheck=true ... Package dnf-4.17.1-1.git.9598.552e61e.fc38.noarch.rpm is not signed Package

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-05 Thread Christopher
On Sun, Nov 5, 2023 at 3:54 PM Samuel Sieb wrote: > > On 11/2/23 06:36, Christopher wrote: > > On Wed, Nov 1, 2023 at 1:50 PM Kevin Fenzi wrote: > >> > >> On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote: > >>> It's also not clear when this option would take effect. Would it take >

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-05 Thread Samuel Sieb
On 11/2/23 06:36, Christopher wrote: On Wed, Nov 1, 2023 at 1:50 PM Kevin Fenzi wrote: On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote: It's also not clear when this option would take effect. Would it take effect if I did `dnf install /path/to/local/file` or just when I did no,

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-05 Thread Zbigniew Jędrzejewski-Szmek
On Thu, Nov 02, 2023 at 09:58:10AM -0400, Christopher wrote: > On Wed, Nov 1, 2023 at 5:39 PM Zbigniew Jędrzejewski-Szmek > wrote: > > > > On Wed, Nov 01, 2023 at 10:49:36AM -0700, Kevin Fenzi wrote: > > > On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote: > > > > On Tue, Oct 31, 2023

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-02 Thread Jonathan Steffan
On Thu, Nov 2, 2023 at 1:33 PM Brian C. Lane wrote: > > I think we should: > > * Switch the default local gpg check to true > - this removes surprise when you learn you've been installing > unchecked software for ... years? If they want it, it can be set > back to false by the user. >

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-02 Thread Brian C. Lane
On Tue, Oct 31, 2023 at 04:23:41PM +0100, Petr Pisar wrote: > The nonchecking behavior probably exists to make installing local packages > easy. If DNF5 would insist on checking the signatures, Fedora users would have > to pass --no-gpgchecks option to their "dnf5" commands to override the new >

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-02 Thread Christopher
On Wed, Nov 1, 2023 at 5:39 PM Zbigniew Jędrzejewski-Szmek wrote: > > On Wed, Nov 01, 2023 at 10:49:36AM -0700, Kevin Fenzi wrote: > > On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote: > > > On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi wrote: > > > > > > > > FWIW, from what I can

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-02 Thread Christopher
On Wed, Nov 1, 2023 at 1:50 PM Kevin Fenzi wrote: > > On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote: > > On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi wrote: > > > > > > FWIW, from what I can recall, yum used to check all packages, but this > > > resulted in tons of people

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-02 Thread Panu Matilainen
On 11/1/23 17:09, Christopher wrote: On Wed, Nov 1, 2023 at 5:53 AM Paul Howarth wrote: Maybe not using dnf, but you can check it using rpm directly: $ wget mypackage.rpm $ rpm --checksig mypackage.rpm Yeah, that's why DNF is more convenient for this... the whole point of using DNF to

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-02 Thread Petr Pisar
On Tue, Oct 31, 2023 at 04:49:30PM -0700, Kevin Fenzi wrote: > FWIW, from what I can recall, yum used to check all packages, but this > resulted in tons of people complaining because they did not want it to > check their local packages. So, a localpkg_gpgcheck option was added and > set to

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-01 Thread Zbigniew Jędrzejewski-Szmek
On Wed, Nov 01, 2023 at 10:49:36AM -0700, Kevin Fenzi wrote: > On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote: > > On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi wrote: > > > > > > FWIW, from what I can recall, yum used to check all packages, but this > > > resulted in tons of people

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-01 Thread Kevin Fenzi
On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote: > On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi wrote: > > > > FWIW, from what I can recall, yum used to check all packages, but this > > resulted in tons of people complaining because they did not want it to > > check their local

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-01 Thread Jason Tibbitts
> Christopher writes: >> $ wget mypackage.rpm >> $ rpm --checksig mypackage.rpm > the whole point of > using DNF to install a local file is for consistency of using the same > command as for repo packages, not manually altering the RPM database > outside of YUM/DNF (that results in a

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-01 Thread Christopher
On Wed, Nov 1, 2023 at 5:53 AM Paul Howarth wrote: > > On Tue, 31 Oct 2023 12:48:31 -0400 > Christopher wrote: > > I'm actually a bit concerned about this thread, because I assumed DNF4 > > and DNF5 would check signatures by default today, and that it would > > only skip if `--nogpgcheck` was

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-01 Thread Christopher
On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi wrote: > > FWIW, from what I can recall, yum used to check all packages, but this > resulted in tons of people complaining because they did not want it to > check their local packages. So, a localpkg_gpgcheck option was added and > set to false. dnf4

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-01 Thread Paul Howarth
On Tue, 31 Oct 2023 12:48:31 -0400 Christopher wrote: > I'm actually a bit concerned about this thread, because I assumed DNF4 > and DNF5 would check signatures by default today, and that it would > only skip if `--nogpgcheck` was passed as an option. If it sometimes > skips the GPG check without

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Kevin Fenzi
FWIW, from what I can recall, yum used to check all packages, but this resulted in tons of people complaining because they did not want it to check their local packages. So, a localpkg_gpgcheck option was added and set to false. dnf4 still has this option. It's also worth noting that if you pass

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Michael J Gruber
On Tue, 31 Oct 2023 at 19:31, Christopher < ctubb...@fedoraproject.org> wrote: > On Tue, Oct 31, 2023 at 1:38 PM Vít Ondruch wrote: > > > > > > On 31. 10. 23 at 16:23, Petr Pisar wrote: > > > Hello, > > > > > > DNF5 got a complaint > > >

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread stan via devel
On Tue, 31 Oct 2023 16:23:41 +0100 Petr Pisar wrote: > I would like to hear your opinion: Should DNF5 start verifying > all packages? Should DNF5 keep ignoring signatures for > out-of-repository packages? Or should it rather narrow the verification > skip to packages from a local file system?

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Christopher
On Tue, Oct 31, 2023 at 1:38 PM Vít Ondruch wrote: > > > On 31. 10. 23 at 16:23, Petr Pisar wrote: > > Hello, > > > > DNF5 got a complaint > > that "dnf > > update > > https://..." skips verifying package signatures: > > > > $

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Vít Ondruch
On 31. 10. 23 at 16:23, Petr Pisar wrote: Hello, DNF5 got a complaint that "dnf update https://..." skips verifying package signatures: $ sudo dnf update

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Christopher
On Tue, Oct 31, 2023 at 11:57 AM Petr Pisar wrote: > > On Tue, Oct 31, 2023 at 04:32:09PM +0100, Fabio Valentini wrote: > > On Tue, Oct 31, 2023 at 4:24 PM Petr Pisar wrote: > > > > > > Hello, > > > > > > DNF5 got a complaint > > >

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Petr Pisar
On Tue, Oct 31, 2023 at 04:32:09PM +0100, Fabio Valentini wrote: > On Tue, Oct 31, 2023 at 4:24 PM Petr Pisar wrote: > > > > Hello, > > > > DNF5 got a complaint > > that "dnf > > update > > https://..." skips verifying package

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Fabio Valentini
On Tue, Oct 31, 2023 at 4:24 PM Petr Pisar wrote: > > Hello, > > DNF5 got a complaint > that "dnf update > https://..." skips verifying package signatures: > > $ sudo dnf update >

DNF5: Checking signatures of packages installed out of a repository?

2023-10-31 Thread Petr Pisar
Hello, DNF5 got a complaint that "dnf update https://..." skips verifying package signatures: $ sudo dnf update